Module: sip-router Branch: janakj/postgres Commit: 5bea0d904ef95a2813c10c7d77f1d1a03959f29d URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5bea0d9… Author: Henning Westerholt &lt;henning.westerholt(a)1und1.de&gt; Committer: Henning Westerholt &lt;henning.westerholt(a)1und1.de&gt; Date: Mon Feb 11 14:40:27 2008 +0000 - bugfix for (small) potential buffer overflow in BLOB escaping git-svn-id: https://openser.svn.sourceforge.net/svnroot/openser/trunk@3680 689a6050-402a-0410-94f2-e92a70836424 --- modules/db_postgres/km_db_val.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/modules/db_postgres/km_db_val.c b/modules/db_postgres/km_db_val.c index ee0e45c..c5b914b 100644 --- a/modules/db_postgres/km_db_val.c +++ b/modules/db_postgres/km_db_val.c @@ -263,6 +263,7 @@ int db_postgres_val2str(const db_con_t* _con, const db_val_t* _v, char* _s, int* case DB_BLOB: l = VAL_BLOB(_v).len; + /* this estimation is not always correct, thus we need to check later again */ if (*_len < (l * 2 + 3)) { LM_ERR("destination buffer too short for blob\n"); return -7; @@ -275,6 +276,10 @@ int db_postgres_val2str(const db_con_t* _con, const db_val_t* _v, char* _s, int* LM_ERR("PQescapeBytea failed\n"); return -7; } + if (tmp_len > *_len) { + LM_ERR("escaped result too long\n"); + return -7; + } memcpy(_s, tmp_s, tmp_len); PQfreemem(tmp_s); tmp_len = strlen(_s);